Samuel Thibault, on jeu. 03 août 2017 00:26:07 +0200, wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> While parsing dhcp options string in 'dhcp_decode', if an options'
> length 'len' appeared towards the end of 'bp_vend' array, ensuing
> read could lead to an OOB memory access issue. Add check to avoid it.
>
> Reported-by: Reno Robert <renorob...@gmail.com>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> Signed-off-by: Samuel Thibault <samuel.thiba...@ens-lyon.org>
Oops, this should have mentioned the CVE, I'll redo the pull request,
sorry.
> ---
> slirp/bootp.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/slirp/bootp.c b/slirp/bootp.c
> index 5a4646c182..5dd1a415b5 100644
> --- a/slirp/bootp.c
> +++ b/slirp/bootp.c
> @@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int
> *pmsg_type,
> if (p >= p_end)
> break;
> len = *p++;
> + if (p + len > p_end) {
> + break;
> + }
> DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
>
> switch(tag) {
> --
> 2.13.2
>
--
Samuel
"...[Linux's] capacity to talk via any medium except smoke signals."
(By Dr. Greg Wettstein, Roger Maris Cancer Center)
